SaTC: CORE: Small: A Transparent and Customizable Android Container-Based Virtualization Architecture for Dynamic Malware Analysis

SaTC：CORE：Small：用于动态恶意软件分析的透明且可定制的基于 Android 容器的虚拟化架构

• 批准号: 2128703
• 负责人: Jiang Ming
• 金额: $ 50万
• 依托单位: University of Texas at Arlington
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2023-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2128703&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Transparent; Customizable

With the success of Android mobile device markets, Android malicious software (malware) threatens billions of smartphone users. Driven by financial profit, malware authors are highly motivated to evade detection and to challenge forensics procedures. In the malware detection/evasion arms race, defenders apply analysis techniques that require a highly controlled environment to collect data about malware actions and gain insights into their intents, while still preventing malware from discovering that it is operating in an analysis environment. The project introduces a novel and customizable malware analysis environment capable of handling evasive Android malware. The software artifacts generated and made publicly available to the open-source community have the potential to revolutionize the way analysts perform forensics tasks, thus protecting smartphone users and their Android devices against cyber-attacks. Furthermore, this project, performed in a Hispanic-serving institution, involves recruitment of students from under-represented groups in computing. This project innovatively applies container-based virtualization to address the long-standing challenge of efficiently analyzing evasive malware. Current Android malware dynamic analysis platforms (i.e., Android emulators and bare-metal machines) have limitations. Powered by the transparent and customizable virtual environment, this out-of-the-box malware analysis approach overcomes existing analysis techniques' limitations and amplifies their benefits. This analysis environment is more resilient against evasive malware than standard Android emulators. Furthermore, the environment is stealthier and provides better flexibility and productivity for analysis than bare-metal machines. The novel Android container architecture has cross-disciplinary contributions: it improves resource utilization, reduces hardware costs, thus advancing automated malware analysis and streamlining the tasks of malware analysts. Moreover, other researchers can develop new techniques to boost more powerful malware analysis methods, such as behavior-based malware clustering and evasive malware detection. The success of this research potentially revolutionizes dynamic malware analysis methods and tips the balance of the malware war toward the defender.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着Android移动设备市场的成功，Android恶意软件（malware）威胁着数十亿智能手机用户。在经济利益的驱使下，恶意软件的作者非常积极地逃避检测和挑战法医程序。在恶意软件检测/规避军备竞赛中，防御者应用需要高度受控环境的分析技术来收集有关恶意软件操作的数据并深入了解其意图，同时仍然防止恶意软件发现它在分析环境中运行。该项目引入了一种新颖的、可定制的恶意软件分析环境，能够处理规避的Android恶意软件。开源社区生成并公开提供的软件构件有可能彻底改变分析人员执行取证任务的方式，从而保护智能手机用户及其Android设备免受网络攻击。此外，这个项目在一个为西班牙裔服务的机构中进行，涉及从计算机领域代表性不足的群体中招收学生。该项目创新性地应用基于容器的虚拟化来解决有效分析规避恶意软件的长期挑战。当前的Android恶意软件动态分析平台（即Android模拟器和裸机）存在局限性。在透明和可定制的虚拟环境的支持下，这种开箱即用的恶意软件分析方法克服了现有分析技术的局限性，并放大了它们的优势。与标准Android模拟器相比，该分析环境对规避恶意软件更具弹性。此外，与裸机相比，该环境更加隐蔽，为分析提供了更好的灵活性和生产力。新颖的Android容器架构具有跨学科的贡献：它提高了资源利用率，降低了硬件成本，从而推进了自动化恶意软件分析并简化了恶意软件分析人员的任务。此外，其他研究人员可以开发新技术来增强更强大的恶意软件分析方法，例如基于行为的恶意软件聚类和规避恶意软件检测。这项研究的成功可能会彻底改变动态恶意软件分析方法，并使恶意软件战争的平衡向防御者倾斜。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Chosen-Instruction Attack Against Commercial Code Virtualization Obfuscators

• DOI: 10.14722/ndss.2022.24015
• 发表时间: 2022
• 期刊: Proceedings 2022 Network and Distributed System Security Symposium
• 作者: Shijia Li;Chunfu Jia;Pengda Qiu;Qiyuan Chen;Jiang Ming;Debin Gao

PolyCruise: A Cross-Language Dynamic Information Flow Analysis

PolyCruise：跨语言动态信息流分析

• 发表时间: 2022
• 期刊: Proceedings of the 31st USENIX Security Symposium
• 作者: Wen Li, Jiang Ming

One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries

• DOI: 10.1145/3503222.3507768
• 发表时间: 2022-02
• 期刊: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
• 作者: Haotian Zhang;Mengfei Ren;Yu Lei;Jiang Ming

Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization

• DOI: 10.1145/3460120.3484544
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Wenna Song;Jiang Ming;Lin Jiang;Yi Xiang;Xuanchen Pan;Jianming Fu;Guojun Peng

Intelligent Zigbee Protocol Fuzzing via Constraint-Field Dependency Inference

通过约束场依赖推理进行智能 Zigbee 协议模糊测试

• 发表时间: 2023
• 期刊: In Proceedings of the 28th European Symposium on Research in Computer Security
• 作者: Mengfei Ren;Haotian Zhang;Xiaolei Ren;Jiang Ming;Yu Lei
• 通讯作者: Yu Lei